@trusted and return ref
w0rp via Digitalmars-d-learn
digitalmars-d-learn at puremagic.com
Tue Mar 3 12:56:48 PST 2015
On Wednesday, 25 February 2015 at 06:48:17 UTC, Ola Fosheim
Grøstad wrote:
> On Tuesday, 24 February 2015 at 22:49:17 UTC, w0rp wrote:
>> In general, @trusted means "I have proven myself that this
>> code is actually safe, even though it uses unsafe features."
>> The compiler has to be pessimistic and assume that everything
>> which can be used unsafely will be used unsafely. @trusted, as
>> it is used here, is used to say, "I assure you I have used
>> this in a safe manner."
>
> From http://dlang.org/function.html#trusted-functions :
>
> «Trusted functions are guaranteed by the programmer to not
> exhibit any undefined behavior if called by a safe function.»
>
> I take this to mean that anything that is wrapped up in
> @trusted should not violate memory safety when injected into
> any arbitrary context marked as @safe.

The key phrase is "guaranteed by the programmer." Which means
that the programmer, not the compiler, is providing a guarantee
that calling a @trusted function will not violate memory safety.
If the programmer cannot make that guarantee, the function should
be marked as @system instead. It's a mechanism which allows
humans to achieve something the compiler isn't capable of
achieving, at least at this point in time.

Much in the same way that a compiler cannot prove in general that
programs will terminate, it can be very difficult for a compiler
to prove that your program will not violate memory safety when
the language is capable of calling into C code, etc. If you don't
have an annotation like @trusted, the amount of code which could
be run from @safe functions would be very small indeed.
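
The @trusted/@system distinction discussed in this message, as an added D example that is not part of the original post. The function names rawCopy and checkedCopy are hypothetical; the only library calls used are memmove from core.stdc.string and the built-in Exception class.

```d
import core.stdc.string : memmove;

// Must stay @system: the caller supplies raw pointers and a length,
// so the author cannot guarantee memory safety for every possible call.
@system void rawCopy(void* dst, const(void)* src, size_t n)
{
    memmove(dst, src, n);
}

// Can be @trusted: the programmer, not the compiler, has checked that
// no call from @safe code can corrupt memory.
//  - slices carry their own length, so the bound can be verified here
//  - memmove (not memcpy) is used because @safe callers may pass
//    overlapping slices of the same array, which memcpy does not allow
@trusted void checkedCopy(ubyte[] dst, const(ubyte)[] src)
{
    if (dst.length < src.length)
        throw new Exception("destination too small");
    memmove(dst.ptr, src.ptr, src.length);
}

@safe void main()
{
    auto buf = new ubyte[4];
    const(ubyte)[] data = [1, 2, 3];

    // Allowed: @safe code may call @trusted code.
    checkedCopy(buf, data);
    assert(buf[0 .. 3] == data);

    // Overlapping source and destination are still handled safely.
    checkedCopy(buf[1 .. 4], buf[0 .. 3]);
    assert(buf == [1, 1, 2, 3]);

    // A too-small destination is refused instead of overflowing.
    bool refused = false;
    try
        checkedCopy(buf[0 .. 2], data);
    catch (Exception e)
        refused = true;
    assert(refused);

    // rawCopy(...) cannot be called here: the compiler rejects any
    // call from @safe code to a @system function.
}
```
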